Banking Regulation 2024

Last Updated December 12, 2023


Law and Practice


Osborne Clarke N.V. is a future-focused international legal practice with over 330 Partners and more than 1260+ talented lawyers working across 26 global locations. Osborne Clarke is a full-service office with nine law practices in the Netherlands: financial regulatory, banking and finance, corporate M&A, employment, pensions and incentives, tax, litigation and arbitration, real estate and infrastructure, tech, media and comms and notarial law. Osborne Clarke‘s financial regulatory practice has a standout reputation with clients and Dutch regulators. The financial regulation team primarily represents innovative and tech-driven clients in the field of banking, payments, investment services and cryptocurrency. It is also known as one of the most significant Dutch practices for licence applications to key regulators – the DNB and the AFM.

Laws and Regulations Applicable to Dutch Licensed Banks

Dutch licensed banks are regulated by a broad set of laws which predominantly arise from European directives, regulations and guidelines issued by the European supervisory authorities.

The main European regulations (not exhaustive) are:

  • the Capital Requirements Directive (2013/36/EU);
  • the Capital Requirements Regulation ((EU) 575/2013);
  • the Deposit Guarantee Schemes Directive (2014/49/EU);
  • the Bank Recovery and Resolution Directive (2014/59/EU);
  • the Anti-Money Laundering Directive ((EU) 2015/849), as amended, AMLD);
  • to the extent that a bank performs investment services: the second Markets in Financial Instruments Directive (2014/65/EU), the Markets in Financial Instruments Regulation ((EU) 600/2014) and delegated regulations and technical standards thereto; and
  • for payment services provided by the bank: the revised Payment Services Directive ((EU) 2015/2366).

European Regulations have direct effect in the Netherlands and are not separately copied in Dutch laws. The abovementioned  European Directives, except AMLD, are implemented in Dutch law in the Dutch Financial Supervision Act (Wet op het financieel toezicht, DFSA) and underlying regulations. AMLD is implemented in the Dutch Anti-Money Laundering and Anti-Terrorist Financing Act (Wet ter voorkoming van witwassen en financieren van terrorisme).

The DFSA is the main law governing financial institutions, including banks, and, for example, provides rules on authorisation, the code of conduct, capital, capital markets, and division of tasks/co-operation between the relevant regulatory authorities.

In addition to implementing European laws, the DFSA contains purely national laws, such as rules on the duty of care that applies to banks and remuneration rules, which are more stringent than European laws.

Another important source of regulation is formed by a set of guidelines issued by the European Banking Authority (EBA). Although these guidelines are not formal law, the Dutch Central Bank (De Nederlandsche Bank, DNB) must apply these guidelines unless it has informed the EBA that it will deviate from the guidelines, which only happens on rare occasions. For example, the EBA guidelines provide detailed rules on the governance of banks and outsourcing of operations by banks. Also notable is the ECB Guide on climate-related and environmental risks.

Supervisory Authorities

The main regulators for banks are:

  • the European Central Bank (ECB);
  • the DNB; and
  • the Dutch Authority for the financial markets (Autoriteit financiele markten, AFM).

The division of tasks between the ECB and the national regulators is based on the SSM Regulation and the SSM Framework Regulation, and is summarised below.

  • The ECB is responsible for (i) granting and revoking bank licenses; (ii) granting Declarations of No Objection (verklaring van geen bezwaar, DNO) to qualified holders in a licensed bank, being those entities/persons that (in)directly hold 10% or more of the shares, voting right or comparable control in a bank; and (iii) ongoing supervision of banks that qualify as significant institutions. Ongoing supervision is performed by Joint Supervisory Teams (JSTs), which are composed of ECB staff and staff of the national regulators.
  • Under overall oversight by the ECB, the DNB is responsible for prudential supervision of non-significant banks.
  • The AFM is responsible for ongoing code of conduct supervision of non-significant banks (gedragstoezicht).

The AFM and the DNB closely co-operate. In practice, Dutch-licensed banks primarily interact with the DNB as part of ongoing supervision, including code of conduct supervision.

Introduction to Banking Licenses in the Netherlands

The requirement to obtain a banking license in the Netherlands is laid down in the DFSA in conjunction with the Capital Requirements Regulation (CRR). Broadly, a license is required when an institution both (i) takes deposits or other repayable funds from the public (such as attracting debt); and (ii) grants credit for its own account.

Limited exemptions to the license requirement exist, such as the exemption for group financing companies, which covers institutions that raise funds through the issuance of securities and use these funds within their corporate group, subject to certain conditions.

The available services that a bank can apply for under a license are set out in Annex I to the Capital Requirements Directive (CRD). At a minimum, such services must include taking deposits and other repayable funds, as well as granting credit for own account. Depending on the activities of the institution, other services set out in this Annex must be applied for as part of the license application process or later added following a license expansion or notification procedure. These include but are not limited to:

  • investment activities or investment services originating from the Markets in Financial Instruments Directive 2 (MiFID2);
  • e-money and payment services originating from the Electronic Money Directive 2 (EMD2) and Payment Services Directive 2 (PSD2); and
  • consumer credit provision and servicing.

Further, all ten services following from the Markets in Crypto Assets Regulation (MiCAR) will be available to banks as well following the notification procedure at the end of 2024. In all cases the respective bank must adhere to relevant additional conduct of business requirements set out in the DFSA or applicable regulations.

Licensing Process

In practice, two phases can be distinguished in the process of obtaining a banking license: the preliminary phase and the formal phase. The preliminary phase is used by the DNB and the ECB to provide feedback to the applicant prior to the formal license being submitted. Formal submission must be done via the IMAS portal operated by the ECB. The application itself, along with all subsequent communication, is conducted primarily in English through the DNB. This reflects the international standards and practices of the banking industry. The DNB offers comprehensive resources on its website, providing applicants with essential information on relevant laws, terms, and regulations. This includes updates and guidance, ensuring applicants are well-informed throughout the process.

Once the formal license application is received, the formal decision-making timeframe is 26 weeks. However, this period can be extended if further information is required or if additional questions arise from the application. The quality and completeness of the application are crucial as they significantly influence the duration of the process. Upon finalisation of the review by the DNB, the DNB provides a draft proposal to the ECB and the ECB will issue the final decision on the license application. In practice, close to finalisation of the review by the DNB, the DNB will first share a written intention for a draft proposal with the ECB. The ECB will then review and provide feedback to the DNB, allowing the DNB and the applicant to address concerns that the ECB may have with the draft proposal.

The banking license application process, overseen by the DNB and the ECB, is designed to ensure that new banking entities meet the many standards necessary for operating in the financial sector. In addition to the license application process, all direct and indirect qualifying shareholders of the prospective bank have to obtain a DNO from the ECB. The application process for DNOs runs parallel to the banking license process and ultimately is part of the draft proposal prepared by the DNB for the ECB to formally decide on.

The cost of processing a banking license application applies regardless of the outcome of the application, whether it results in the granting, rejection, withdrawal, or a temporary hold of the license.

European Passport

A Dutch-licensed bank that seeks to provide services in other European Economic Area (EEA) jurisdictions can do so on the basis of a so-called European passport, either by opening a branch or providing cross-border services in the respective EEA jurisdictions. The process of obtaining a passport involves several stages.

A Dutch-licensed bank can follow a passport notification procedure through the IMAS portal of the ECB which will then be forwarded to the DNB. The services that a Dutch-licensed bank can provide in other EEA jurisdictions may be all or a selection of services for which the Dutch-licensed bank is authorised. When launching new activities or changing notification details, the Dutch-licensed bank must re-run the notification procedure. On receipt of a European passport notification, the DNB, as regulator of the home member state, will assess the completeness and accuracy of the information provided. Where the information provided in the notification is assessed to be incomplete or incorrect, the DNB must inform the bank without delay, indicating in which respect the information is assessed to be incomplete or incorrect. The DNB must, within one month of receipt of a complete and accurate notification, send that notification to the competent regulator of the host state.

To establish a branch, the DNB submits the branch notification to the host state regulator within thirteen weeks. The host state regulator then has two months to prepare its supervision for the new branch. Unlike the provision of cross-border services, a branch can start its activities two months after the host state regulator confirms the receipt of a complete notification.

For the acquisition, holding, or increase of a qualifying holding in a Dutch-licensed bank, prior approval from the ECB is required in the form of a DNO.

The requirements regarding DNOs are laid down in sections 1.6.1a and DFSA. Furthermore, the following guidelines are relevant:

  • EBA, EIOPA and ESMA Guidelines on qualifying holdings of December 2016 (the “Joint Guidelines”); and
  • ECB Guide on qualifying holding procedures of March 2023.

Qualifying Holding

There are three situations in which a qualifying holding exists:

  • a direct or indirect holding of 10% or more of the issued capital of a Dutch-licensed bank;
  • the power to exercise, directly or indirectly, 10% or more of the voting rights in a Dutch-licensed bank; or
  • the power to exercise a significant influence over the management of a Dutch-licensed bank.

To assess whether qualifying holdings exist, the ownership chain of the Dutch-licensed bank must be analysed using the calculation methods set out in the Joint Guidelines. The calculation methods include certain aggregation rules. One such rule is that for parties that “act in concert”, the holdings of the relevant parties are aggregated, and each party is considered to hold the resulting aggregated percentage. The Joint Guidelines list various indicative factors for acting in concert, including the existence of family relationships or a consistent voting pattern.

In complex acquisition structures, such as private equity firms, sovereign wealth funds and conglomerates, an extensive qualifying holding analysis may be required.

DNO Application

A DNO must be obtained from the ECB. The DNB plays a key role in preparations and serves as the primary contact. The DNO application form is to be submitted through the ECB’s IMAS Portal. The current version of the form requests applicants to also submit one or more ancillary forms through the DNB’s MyDNB Portal. The statutory consideration period is 62 business days, which can be extended once by 30 business days if supplementary information is needed.

The DNO assessment encompasses at a high level the following areas:

  • (i) the integrity (betrouwbaarheid) and reputation (reputatie) of the qualifying holder;
  • (ii) the financial soundness of the qualifying holder;
  • (iii) whether the licensed bank will be able to continue meeting its prudential requirements as a result of the holding; and
  • (iv) whether the holding may involve actual or attempted money laundering or terrorist financing or might increase the risk thereof.

For legal entity DNO applicants, the individuals who effectively direct the business of the legal entity are also screened. This screening primarily relates to areas (i) and (iv).

Ongoing Requirements

Once the DNO is obtained, ongoing requirements apply towards the ECB and/or DNB, such as the requirements to:

  • notify material changes in previously provided information or circumstances;
  • report any instances where the holding falls below 10%, 20%, 33%, 50% or 100%;
  • obtain a new DNO before increasing the holding to or above 20%, 33%, 50% or 100%, unless the threshold falls within the specified bandwidth of the existing DNO; and
  • obtain prior approval for appointing new individuals who effectively direct the business of a legal entity holding a DNO.

The legal basis for the corporate governance requirements applicable to Dutch-licensed banks follows from (i) the DFSA; (ii) Book 2 of the Dutch Civil Code (Burgerlijk Wetboek); (iii) the EBA Guidelines on internal governance; and (iv) the Dutch Corporate Governance Code (DCGC). 

Two-tier Model

The DFSA determines that a Dutch-licensed bank must apply a two-tier model, whereby management is separate from supervision. Management is performed by a management board consisting solely of executive directors, while management supervision is carried out by the supervisory board. As follows from the Dutch Civil Code and the EBA Guidelines on internal governance:

  • the management board is responsible for the general day-to-day operations of the bank; and
  • the supervisory board supervises the management board and provides the management board with solicited and unsolicited advice. 

The DFSA determines that the day-to-day operations of the bank must be determined by at least two individuals that operate from the Netherlands. The day-to-day management is considered to be performed by the management board.

The supervisory board must consist of at least three individuals. All members of the supervisory board must be independent in mind and appearance. In addition, at least 50% of the supervisory board members must meet formal independence criteria. If a bank is significant, the supervisory board must establish a risk committee, nomination committee, and a remuneration committee from among its members.

EBA Guidelines on Internal Governance

Apart from the statutory laws set out in the DFSA, the EBA Guidelines on internal governance are the main source as regards the organisation of the internal governance of banks. The EBA Guidelines contain detailed provisions regarding a broad set of topics which focus on ensuring sound internal governance. For example, the EBA Guidelines determine that banks must have a compliance function, a risk function and an independent internal audit function and provide detailed provisions as regards the composition and tasks of such functions.


In addition to the EBA Guidelines on internal governance, the DCGC provides best practices regarding (i) sustainable long-term value creation; (ii) effective management and supervision; (iii) remuneration; and (iv) the relationship with and role of the shareholders. The DCGC is formally only applicable to listed companies. However, the DNB generally expects Dutch-licensed banks to take the DCGC into account. The DCGC applies on a “comply or explain” basis.

Fit and Proper Screening

Individuals appointed as management board members (ie, day-to-day policymakers) or as supervisory board members are subject to screening by the DNB or the ECB. The division of tasks between the DNB and the ECB depends on whether it concerns screening in the context of a license application and whether it concerns a significant or non-significant bank.

The regulator (ie, the DNB or the ECB) assesses whether the integrity (betrouwbaarheid) of the individual subject to screening is beyond doubt and whether the individual is suitable (geschikt) for the function. This is sometimes also referred to as fit and proper screening.

Integrity screening relates to the individual and not to the function that the individual will hold. Integrity is assessed on the basis of antecedents disclosed in a standard questionnaire. Suitability screening involves an assessment of whether the individual has sufficient and relevant knowledge, work experience and other relevant competencies for the function to be held.

Screening Requirements for Second-Echelon Functions

Screening criteria also apply to second-echelon functions. The second echelon is comprised of individuals who fulfil a management position directly below the executive board, and who will be responsible for natural persons whose activities can have a significant impact on the risk profile of the Dutch-licensed bank. For the second echelon, the DNB assesses the integrity and the bank itself must establish whether the individual is suitable.

An individual cannot assume their position until receiving a positive screening decision from the regulator.

The legal basis for the remuneration requirements applicable to Dutch-licensed banks follows from the DFSA, the Regulation on Sound Remuneration Policy DFSA (Regeling beheerst beloningsbeleid Wft 2021, Rbb),  the EBA Guidelines on Sound Remuneration policies, and the DCGC.

These regulations and guidelines differentiate between several types of staff, and each may have different requirements for fixed remuneration and variable remuneration.


The remuneration rules in the DFSA apply to individuals working under the responsibility of the Dutch-licensed bank, and its subsidiaries. The most relevant remuneration requirements under the DFSA are as follows:

  • Remuneration policy requirements: Banks must have a remuneration policy tailored to their size and activities, among others setting out specific principles for awarding fixed and variable remuneration.
  • Disclosure requirements: Banks must publish a description of their remuneration policy in their annual accounts and on their website, including information on the amount of variable remuneration awarded.
  • Bonus cap: The amount of variable remuneration awarded must be limited to 20% of the individual’s fixed remuneration. There are limited exemptions to this bonus cap, such as for individuals predominantly working outside of the Netherlands.
  • Welcome bonuses and severance payments: Banks can only award guaranteed variable remuneration (welcome bonuses) and severance payments under specific conditions. 
  • Malus and clawback: In certain circumstances, banks can reduce or reclaim variable remuneration (also known as malus and clawback measures).
  • Retention of shares: A retention requirement of five years applies to shares (or comparable instrument) awarded by the bank as fixed remuneration.

A breach of these remuneration rules, such as an employment contract in breach of the Dutch bonus cap rules, is considered null and void (nietig) under Dutch law.


The RBB contains remuneration requirements for individuals who can materially affect the risk profile of the bank (identified staff). The Rbb implements most of the remuneration requirements following CRD IV. As follows from the Rbb: 

  • The supervisory board must adopt the remuneration policy of the bank, and must be responsible for reviewing and implementing this policy.
  • Significant banks must establish a remuneration committee responsible for, inter alia, preparing remuneration decisions to be made by the supervisory board. 
  • A significant portion of variable remuneration (at least 50%) must consist of shares (or comparable instruments), which must also be subject to an appropriate retention period linked to the bank’s performance.
  • When awarding variable remuneration, a considerable portion (at least 40%) must be deferred over a period of at least four to five years (depending on the individual’s role).

An exemption exists to the financial instruments and deferral requirements described above, available to small banks and individuals who are awarded a certain (limited) amount of variable remuneration.

EBA Guidelines on Sound Remuneration Policies

The DNB applies the EBA Guidelines in its supervision of Dutch-licensed banks, which further detail the remuneration requirements as set out in the DFSA and Rbb. The EBA sets detailed remuneration requirements, such as on the identification process of identified staff, the tasks and responsibilities of the remuneration committee and the pay-out process for variable remuneration.

Dutch Corporate Governance Code

According to the DCGC, the supervisory board should determine the remuneration of the individual management board members, within the boundaries of the management board remuneration policy as adopted by the general meeting of the company.

The Dutch legal framework on anti-money laundering and counter-terrorist financing (AML-CFT)  primarily consists of the following legislation and guidelines:

  • the Dutch anti-money laundering act (Wet ter voorkoming van witwassen en financieren van terrorisme, Dutch AML Act) and underlying regulations;
  • EBA Guidelines, such as the EBA Guidelines on ML/TF risk factors; and
  • the DNB Guideline on AML-CFT, which is expected to be replaced by the DNB AML-CFT Q&As and Good Practices that were consulted by the DNB in October 2023.

Dutch AML Act

The three main elements of the Dutch AML Act are outlined below.

AML-CFT risk analysis

The Dutch AML Act follows a risk-based approach. The actual measures that banks implement in the context of these requirements depend on the associated risks. The cornerstone of the risk-based approach is the AML-CFT risk analysis, based on which the concrete AML-CTF measures must be determined. The AML-CFT risk analysis is often part of the Systematic Integrity Risk Analysis (SIRA).

Customer due diligence (CDD)

The purpose of conducting CDD is that the bank knows who it is doing business with. CDD, among others, requires the bank to identify and verify the identity of a customer, its Ultimate Beneficial Owner(s) (UBO), the individual(s) representing the customer and the purpose and nature of the business relationship.

CDD is required when the bank enters into a business relationship with a customer or when it conducts an incidental transaction(s) amounting to EUR15,000 or more on behalf of the customer. The bank applies (i) regular; (ii) simplified; or (iii) enhanced CDD, each with minimum requirements depending on the customer risks involved.

Throughout the business relationship, the bank is obligated to conduct CDD reviews, typically triggered periodically or based on specific events.

Transaction monitoring

Banks must monitor transactions within a business relationship to identify unusual activities by means of objective and subjective indicators as laid down in the Dutch AML Act. If a transaction meets certain criteria, it qualifies as unusual and must be promptly reported to the Financial Intelligence Unit Netherlands (FIU-NL).

New AML-CFT Industry Baselines

A recent development in 2023 is that the DNB has entered into discussions with the Dutch Banking Association (De Nederlandse Vereniging van Banken, DBA), of which nearly all Dutch banks are members. The aim of the discussions is to come to an AML-CTF framework that increases the impact on clients that pose actual risks, while minimising the impact on bona fide clients. As a result of these discussions, the DBA has drafted and published industry baselines that set out the clear starting points for the risk-based application of the open standards in the Dutch AML Act in CDD by banks.

Dutch Deposit Guarantee Scheme

The Dutch Deposit Guarantee Scheme (DGS) is laid down in Section 3.5.6 of the DFSA and the relevant regulations thereto. The DGS implements the EU Directive 2014/49/EU on deposit guarantee schemes. The DGS regime is administered by the DNB and the DGS funds are kept in the Deposit Guarantee Fund (depositogarantiefonds, DGF) which is managed by the DNB.

Since 2016, Dutch-licensed banks have been required to contribute to the DGF quarterly. The target is for the DGF to reach at least 0.8% of the deposits guaranteed under the DGS by 2024. These contributions are divided into collective and individualised components, with the DNB determining each bank’s contribution based on their deposit base and that of all banks combined. Supplementary contributions may be set if covered deposits increase. When the DNB has to repay depositors out of the DGF, but the available funds in the DGF are not sufficient to finance the payments, extraordinary contributions are levied. The DNB determines these contributions ex post and may ask banks for an advance payment if needed.

Accounts Eligible for Protection Under the Dutch DGS

Various types of accounts are eligible for protection under the DGS. These include:

  • Payment Accounts: This category covers standard bank accounts used for daily financial transactions, such as current accounts.
  • Savings Accounts: Accounts specifically designated for saving money, which may offer interest on the saved amount, are protected.
  • Fixed-Term Deposits: These are deposits made for a fixed period, often at a fixed interest rate, and cannot be accessed until the term ends without incurring penalties.
  • Life-Cycle Saving Schemes: These accounts are designed for long-term saving, often linked to significant life events like retirement.
  • Bank Savings Accounts: Similar to regular savings accounts, these accounts may have specific terms and conditions regarding deposits and withdrawals.
  • Investment Accounts: These accounts hold investments rather than cash.

It is important to note that while the account itself may be covered, investment products (like shares or bonds) held within these accounts are not covered by the DGS. Furthermore, subordinated deposits are generally not covered by the DGS.

The types of account holders covered include:

  • Natural persons: Personal account holders, irrespective of their age, nationality, or residence status, are covered by the DGS.
  • Businesses: Small, medium, and large businesses holding accounts in participating banks are eligible for protection.
  • Associations and Foundations: Non-profit organisations, including associations and foundations, are also covered under the scheme.
  • Joint Account Holders: Accounts held jointly by multiple individuals are protected. The coverage is typically divided equally among the account holders unless a different division is agreed upon.

Notably, the DGS excludes certain account holders from its protection, such as account holders involved in financial crimes and account holders who have failed to provide necessary identity verification documents.

Maximum Reimbursement

The maximum reimbursement under the DGS is EUR100,000 per account holder per bank. This applies collectively to all the accounts a person holds with the same bank. Joint accounts and accounts held in the names of two or more legal persons have their cover calculated proportionately, unless a different division is agreed upon in advance. The limit of EUR100,000 still applies in these cases.

In the Netherlands, there are no specific legal provisions on bank secrecy. Nevertheless, all customer data must be treated as confidential by Dutch-licensed banks.

Obligations to Share Customer Data

The confidentiality obligations are embedded in the rules on the duty of care requirements, various data protection and privacy laws that apply to banks and follow from the contractual relationship between a bank and its customers. Information can be regarded as confidential if there are obligations to customers or other counterparty relationships binding a bank to confidentiality. Not treating customer data confidentially may therefore result in a violation of that contract, data privacy laws or, as the case may be, the rules on the duty of care that apply to a bank.

However, in some instances, Dutch-licensed banks may be required to provide personal data to authorities such as the Dutch Tax and Customs Administration (for preventing tax evasion purposes), or the public prosecutor’s office (for criminal investigation purposes). Such legal obligations follow inter alia from the DFSA and the Dutch AML Act. Additionally, Dutch-licensed banks are required to provide data to the DNB of deposit holders for the purpose of the DGS. Please refer to 6.1 Depositor Protection Regime.

For the purposes of fraud prevention, Dutch-licensed banks are permitted by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) to share consumer data with certain third parties under strict conditions, despite strict privacy laws.

Data Referral Portal

The Banking Information Reference Portal, as introduced in September 2020, is a digital facility for automated disclosure of identification data demanded by competent investigative authorities and the Dutch Tax and Customs Administration. As follows from the DFSA, Dutch-licensed banks and other payment service providers offering accounts with a Dutch international bank account number (IBAN, as referred to in the SEPA Regulation) are under a statutory duty to comply with demands for disclosure from these authorities. The DNB is responsible for monitoring institutions’ compliance with the statutory duty to register with the Banking Information Reference Portal.

Bankers’ Oath

All employees of a Dutch-licensed bank working in the Netherlands must take an oath or affirmation of good conduct (the Bankers’ Oath), regardless of the nature of their contract. By taking the oath or affirmation, an employee declares that they will follow the code of conduct and the disciplinary regulations for the banking sector (Tuchtreglement bancaire sector). This means, among other things, that the bank employee shall not provide any confidential information about customers to third parties without the customer’s permission. The employee shall only disclose information about customers when required to do so by law, a judge or the supervisory body.

The obligation to take the Bankers’ Oath also applies to employees of Dutch branches of banks that do not have a seat in a member state.

Prudential Regime for Banks

The legal basis for prudential supervision in the Netherlands follows from CRR and CRD IV as implemented in the DFSA and the Decree on Prudential Rules for Financial Undertakings (Besluit Prudentiële regels Wft, Bpr). These rules cover risk management, capital requirements and liquidity requirements for Dutch-licensed banks and branches of banks with a registered office in a non-member state conducting business in the Netherlands.

The prudential rules of CRR and CRD IV are the European implementation of the international Basel III standards (Basel III). Basel III is an international regulatory framework that aims to strengthen the regulation, supervision and risk management of the banking sector.

Risk Management

Dutch-licensed banks are required to have sound risk management policies to control relevant risks. Relevant risks at least include concentration risks, credit risks, counter-party risks, liquidity risks, market risks, operational risks, interest rate risks from non-trading activities, rest risks, risks due to excessive leverage, securitisation risks, insurance risks, lapse risk and risks arising from the macro-economic environment in which the bank operates and which are related to the state of the business cycle.

Risk management policies must be translated into specific procedures and measures to control the relevant risks and must be integrated into the business processes of the bank. The procedures and measures must consist of, inter alia, authorisation procedures, limit settings and limit monitoring tailored to the bank’s nature, size, risk profile and complexity.

Dutch-licensed banks must have an independent risk management function. This function is tasked with systematically and independently conducting risk management, aimed at identifying, measuring and evaluating the risks the bank are exposed to. The management board and the supervisory board must be actively involved in a bank’s risk management.

Capital Requirements

To ensure financial stability and mitigate risks, banks are subject to two distinct regulatory measures: capital requirements and liquidity requirements. The first set of measures follows from the CRR, and aims to establish minimum capital requirements for credit, market, and operational risks. This requires banks to maintain an adequate capital buffer to absorb unexpected financial setbacks. Capital requirements can be divided into (i) qualitative; and (ii) quantitative requirements.

Qualitative requirements

The CRR addresses the quality of capital by the extent to which the capital can absorb losses and classifies the capital into different tiers.

Tier 1 capital, comprised of Common Tier 1 (CET1) capital and Additional Tier 1 (AT1) capital:

  • CET1 capital: As the highest quality of capital, CET1 capital represents the core equity capital of a bank and enables it to absorb losses immediately without significantly impacting its operations or stability. It consists of capital instruments, share premium accounts related to these capital instruments, retained earnings, accumulated other comprehensive income, other reserves and funds for general banking risks.
  • AT1 capital: AT1 capital is Tier 1 capital that is not CET1 capital and consists of capital instruments and the share premium accounts related to these capital instruments. AT1 capital has certain characteristics; eg, the provisions governing the instruments must require that, when the CET1 capital ratio falls below 5.125%, the principal amount of the instruments will be written down on a permanent or temporary basis or the instruments will be converted into CET1 instruments.
  • Tier 2 capital: Tier 2 capital is considered to be of lower quality. This tier includes instruments such as subordinated debt instruments, which hold a subordinate position to other debts in the event of liquidation or bankruptcy. While Tier 1 capital forms the primary layer of a bank’s capital structure, Tier 2 capital provides an additional cushion.

Quantitative requirements

In order to ensure that banks maintain sufficient financial cushion to absorb potential losses, the CRR addresses the quantity of capital by stipulating that banks must maintain specific capital ratios, expressed as percentages of the total risk exposure amount. This exposure amount is calculated using risk-weighted assets. Banks must maintain (i) a Common Equity Tier 1 capital ratio of 4.5%; (ii) a Tier 1 capital ratio of 6%; and (iii) a total capital ratio of 8%.

The leverage ratio is calculated by dividing a bank’s Tier 1 capital by its total exposure. Unlike the capital ratios above, the leverage ratio takes into account the unweighted total exposure rather than the total risk-weighted exposure. Banks are required to maintain a minimum of 3% leverage ratio.

In addition to the mentioned capital ratios, banks must uphold a capital buffer, comprising the following elements: (i) the capital conservation buffer, set at 2.5%, which consists of CET1 capital; and (ii) the institution-specific countercyclical capital buffer, determined by the DNB and presently set at 2%.

Systemically important banks may be subject to additional buffer requirements, including a Global Systemically Important Institution buffer (G-SII) or an Other Systemically Important Institution (O-SII) buffer, as well as a systemic risk buffer.

Liquidity requirements

Besides the capital requirements, Dutch-licensed banks must adhere to liquidity requirements. These requirements are designed to guarantee that Dutch-licensed banks maintain an adequate amount of liquid assets to fulfil their short-term obligations, particularly in times of financial strain. The CRR outlines two primary liquidity requirements: the liquidity coverage ratio and the stable funding ratio.

The liquidity coverage ratio focuses on short-term liquidity risks and requires banks to hold sufficient liquid assets to be able to convert these assets into cash under stressed conditions over a thirty-day period. The stable funding ratio, on the other hand, focuses on the long-term liquidity risks and requires banks to ensure that their long-term obligations are met with diverse stable funding instruments.

The key piece of legislation around insolvency, recovery and resolution of banks is the Bank Recovery and Resolution Directive (BRRD). BRRD is implemented in Part 3A of the DFSA.

The BRRD serves the purpose of ensuring the continuity of a bank’s critical financial and economic function, while minimising the impact of a bank’s failure on the economy and financial system. To that effect, the BRRD provides the national resolution authorities (the DNB in the Netherlands) with a set of tools to intervene sufficiently early and quickly in an unsound or failing bank.

The BRRD distinguished three phases with regard to recovery and resolution:

  • recovery and resolution planning (Title II BRRD);
  • early intervention for recovery (Title III BRRD); and
  • resolution (Title IV BRRD).

Phase 1: Recovery and Resolution Planning

Dutch-licensed banks must establish a recovery plan. The recovery plan must include a framework of qualitative and quantitative indicators identifying the points at which escalation processes/action plans must be activated. The EBA has issued guidelines on the minimum indicators that banks must include in their recovery plan (EBA Guidelines on recovery plan indicators).

The DNB, as the resolution authority in the Netherlands, must establish a recovery plan for each licensed bank. The recovery plan will be based on information to be provided by the respective bank.

Recovery and resolution plans must be updated at least annually.

Phase 2: Early Intervention for Recovery

If the financial condition of a bank is rapidly deteriorating (as further set out in the EBA Guidelines on early intervention triggers), the BRRD confers a number of powers on the DNB to intervene. These powers include:

  • convening (with or without management co-operation) a meeting of shareholders of the bank and requiring certain decisions to be considered for adoption by the shareholders;
  • requiring one or more members of the management body or senior management to be removed or replaced; and
  • requiring changes to the strategy, legal or operational structures.

If the powers reflected above do not suffice, the DNB may impose the following (additional) measures:

  • the removal of the senior management or management body of the institution, in its entirety or with regard to individuals; or
  • the appointment of one or more temporary administrators to the bank.

Phase 3: Resolution

The BRRD provides for resolution tools. The aim of applying such tools is (i) to ensure the continuity of critical functions; (ii) to avoid a significant adverse effect on the financial system; (iii) to minimise reliance on public financial support (ie, prevent a bailout); and (iv) to protect depositors, client funds and client assets.

Resolution tools can only be applied if all of the following conditions are met:

  • (i) the DNB determines that the bank is failing or is likely to fail;
  • (ii) there is no reasonable prospect that any alternative private sector measures, including the write-down or conversion of relevant capital instruments and eligible liabilities, would prevent the failure of the bank within a reasonable timeframe; and
  • (iii) resolution is necessary in the public interest.

As regards condition (i), a bank is failing or likely to fail if:

  • the bank infringes or likely will, in the near future, infringe the requirements for continuing authorisation in a way that would justify the withdrawal of the authorisation;
  • the assets of the bank are or will, in the near future, be less than its liabilities;
  • the institution is or will, in the near future, be unable to pay its debts or other liabilities as they fall due; or
  • extraordinary public financial support is required.

The BRRD distinguishes four resolution tools, which may be applied individually or in any combination, as outlined below.

The sale of business tool

  • The DNB can transfer the shares in the bank or (part of) the assets, rights or liabilities to a purchaser that is not a bridge institution. This transfer does not require shareholder consent.
  • If only the sale of business tool is used and only part of the assets are transferred, the bank and its remaining assets/activities shall be wound up under normal insolvency proceedings.

The bridge institution tool

  • The DNB can transfer the shares in the bank or (part of) the assets, rights or liabilities to a bridge institution. This transfer does not require shareholders consent.
  • A bridge institution must be wholly or partially owned by one or more public authorities and is controlled by the DNB.
  • The purpose of the bridge institution is maintaining access to critical functions of the bank and selling the bank.
  • If only the bridge institution tool is used and only part of the assets are transferred, the bank and its remaining assets/activities shall be wound up under normal insolvency proceedings.

The asset separation tool

  • The DNB can transfer assets, rights or liabilities of a bank or a bridge institution to one or more asset management vehicles. This transfer does not require shareholder consent.
  • An asset management vehicle must be wholly or partially owned by one or more public authorities and controlled by the DNB.
  • The asset management vehicle will manage the assets transferred to it with a view to maximising their value through eventual sale or orderly wind-down.

The bail-in tool

  • The bail-in tool is applied to absorb losses and recapitalise the distressed bank so that it once again meets its license requirements.
  • The bail-in tool allows unsecured debt to be written down or converted to equity. That way, the creditors of a bank bear the losses and the need for a taxpayer bailout is avoided.
  • The bail-in tool may be applied to all liabilities of a bank except for the liabilities excluded by the BRRD, which include covered deposits, secured claims, claims with an original maturity of fewer than seven days, claims of employees, claims of commercial or trade creditors and claims arising from the provision of goods or services to the bank that are critical to the daily functioning of its operations, including IT services, utilities and the rental, servicing and upkeep of premises.
  • Once CET1 capital instruments have been wholly or partly written down, non-excluded liabilities are written down or converted into rights to newly issued shares or other instruments of ownership of the bank.
  • For bail-in, the “no creditor worse off principle” applies, meaning that shareholders and creditors may not incur greater losses than they would have incurred if the bank had been wound up immediately beforehand under normal insolvency proceedings.

Minimum Requirements for Own Funds

Banks are subject to minimum requirements for own funds and eligible liabilities (MREL). The MREL serve to ensure that a bank maintains at all times sufficient eligible instruments to facilitate the implementation of the preferred resolution strategy. MREL is the European equivalent of worldwide Total Loss Absorbing Capacity standard (TLAC) developed by the Financial Stability Board (FSB).


If a bank is unable to meet its obligations towards eligible deposit holders, such deposit holders are protected under the Dutch implementation of the DGS. Please see 6.1 Depositor Protection Regime.

Banking Union

The banking union was created in 2014 as a key component of the economic and monetary union at European level in response to the financial crisis. To ensure a safer financial sector for the single market, the “single rulebook” was created as the backbone of the banking union and financial sector regulation in the EU. The banking union aims to ensure that the banking sector in the EEA is stable, safe and reliable, thus contributing to financial stability. The banking Union is undergoing continuous development as new initiatives are underway to strengthen its foundations.

In June 2022, the Eurogroup issued a statement on the future of the banking union, noting that the banking union remains incomplete. The Eurogroup agreed that the banking union should focus on strengthening the common framework for bank crisis management and national deposit guarantee schemes (CMDI framework).

The Commission put forward a proposal for a reform of the CMDI framework in April 2023, with a focus on medium-sized and smaller banks. The package includes legislative proposals on amending the bank recovery and resolution directive, the single resolution mechanism regulation and the deposit guarantee schemes directive. The reform aims to protect taxpayers’ money in crisis situations, shield the real economy from the impact of bank failures and strengthen depositor protection across the EEA.

Capital Markets Union

The Capital Markets Union (CMU) is the EU’s plan to create a truly single market for capital across the EU. Efforts to harmonise the EU’s capital markets are ongoing, while regulators are also looking to amend a number of existing rules. The CMU Action Plan, published by the European Commission in November 2021, includes legislative proposals relating to the following areas:

  • European Single Access Point (ESAP): Under the provisional agreement, the ESAP platform is expected to be available from summer 2027 and will be phased in gradually to enable a robust implementation.
  • Review of the European Long-Term Investment Funds (ELTIFs) regulation.
  • Review of the Alternative Investment Fund Managers Directive (AIFMD): The review aims to better integrate the alternative investment funds (AIFs) market, improve investor protection and companies’ access to more diversified forms of financing, as well as strengthen managers’ ability to deal with liquidity pressure in stressed market conditions.
  • Review of the Markets in Financial Instruments Regulation (MiFIR): The review includes the establishment of an EU-wide consolidated tape for shares, bonds, exchange-traded funds (ETFs) and derivatives, to increase market transparency and facilitate access to trading data. Another priority is to ensure that EU market infrastructure can remain competitive internationally.

There are a number of other legislative proposals under negotiation between the Council and the Parliament that relate to the CMU. The CMU provides an opportunity to harmonise market practices and enhance technical integration.

EU Banking Package

On 27 June 2023, the Council of the EU announced that it had reached provisional political agreement with the European Parliament (EP) on the proposed Directive amending CRD IV as regards supervisory powers, sanctions, third-country branches and ESG risks and the proposed Regulation amending the CRR as regards requirements for credit risk, credit valuation adjustment (CVA) risk, operational risk, market risk and the output floor.

The package implements the final set of international standards agreed by the EU and its G20 partners in the Basel Committee on Banking Supervision, so-called Basel III. Beyond the implementation of Basel III standards, the package also contains a number of measures to keep the EU prudential framework fit for purpose in terms of sustainability risks and in terms of supervision, including regarding third-country branches. It also provides stronger tools for supervisors overseeing EU banks.

The new rules amending the CRR are expected to apply from 1 January 2025, with certain elements of the regulation phasing in over the coming years. Changes related to the supervision of credit institutions are implemented via an amendment of the CRDIV and will have to be transposed by member states by mid-2025.

New Payment Rules

On 28 June 2023, the European Commission (EC) published its legislative proposals for payment services, financial data access and the establishment of the digital euro.

The legislative proposals consist of, inter alia:

  • a third Payment Services Directive (PSD3) and a Payment Services Regulation (PSR);
  • a Regulation for Financial Data access (FIDA); and
  • a Regulation on the establishment of the digital euro (Digital Euro Regulation).

The PSD3, PSR and FIDA proposals are part of the EC “Financial data access and payments” package which was launched by the EC to modernise the regulatory landscape in relation to the provision of payment services and sharing financial services data.

The Digital Euro Regulation is part of the EC’s “single currency package” and sets out a framework for a possible new digital form of the euro that the ECB could choose to issue in the future, as a complement to cash.

The proposals will now go through the EU legislative process, which is expected to take around two years to complete. This brings the following expected timelines:

  • PSD3, PSR and FIDA will, based on the current proposals, take around 18-24 months to apply/enter into force after the texts are agreed upon. Assuming that the texts of the regimes will be agreed in 2025, the new regimes will become binding in 2026.
  • The Digital Euro Regulation will enter into force shortly after being finalised. However, the effect of the regulation will to a large extent depend on the progress regarding the development and issuance of the digital euro itself.

SSM Supervisory Priorities for 2023-2025

The ECB, in close collaboration with national competent authorities, has set the SSM supervisory priorities for 2023-2025. These priorities aim to strengthen supervisory efforts in delivering the medium-term strategic objectives while adjusting the focus to shifting challenges. Supervised institutions will be requested to strengthen their resilience to immediate macro-financial and geopolitical shocks (Priority 1), address digitalisation challenges and strengthen management bodies’ steering capabilities (Priority 2), and step up their efforts in addressing climate change (Priority 3).

EBA Financial Regulatory Work Programmes

Every year, the key EU financial regulatory institutions publish their annual Work Programmes, setting out their priorities for the year ahead. These priorities align with each institution’s broader longer-term “Strategy” (published every three to five years). On 3 October 2023, the EBA published its Work Programme for 2024. In 2024, the EBA will need to address a large number of mandates in a wide range of areas, building on the priorities defined in its programming document for the period 2024-2026:

  • promote and implement an effective and proportionate Single Rulebook;
  • foster financial stability in a sustainable economy; notably, the EBA will assess the need for changes to its stress testing methodology for the 2025 exercise;
  • enable an integrated regulatory reporting system for authorities and market discipline;
  • set up and start DORA oversight and MiCAR supervision (under DORA, the EBA will take part in 13 level-2 mandates, including oversight activities for which it will be assigned the role of Lead Overseer, while under MiCAR, the EBA expects to deliver around 20 technical standards and guidelines in 2024); and
  • increase focus on innovation and consumers and ensure a smooth transition to the new AML/CFT framework; the EBA indicates it expects AMLA to be established in 2024.

DNB Payment Strategy 2022-2025

The Payments Strategy 2022-2025 of the DNB focuses on safeguarding trust because of increasing digitalisation. The strategy has three priorities:

  • ensuring access to payments;
  • maintaining a robust and reliable payment structure; and
  • strengthening European and global payments, leveraging the Dutch experience.

A connected area is the risks associated with cybercrime attacks. Cyber resilience is to be given high priority. The Netherlands already has a test regime – TIBER tests – to understand if systems and infrastructure are resilient. These tests will be extended to include third parties who have a systemic role. Information sharing will receive a greater emphasis.

ESG requirements for Dutch-licensed banks primarily consist of (i) climate risk management requirements; and (ii) ESG disclosure requirements.

Climate Risk Management

Climate risk management requirements for banks primarily follow from the ECB’s Guide on climate-related and environmental risks (2020) (the “ECB Guide”). The ECB Guide is strictly speaking not binding for banks. However, it reflects the ECB’s understanding of how banks are expected to adequately manage climate risks under the current prudential framework, as primarily follows from CRD IV. The ECB, as direct supervisor of significant banks, applies the ECB Guide in its supervision. The DNB also applies the ECB Guide in its supervision of less significant banks, but in a proportionate manner.

The supervisory expectations in the ECB Guide can be summarised as follows:

  • Business Strategy: Banks should integrate short-, medium-, and long-term climate risks into their business strategies.
  • Risk appetite and governance: Banks should incorporate climate risks into their risk appetite frameworks, allocate responsibilities, and report aggregated risk data.
  • Risk management: Banks should integrate climate risks into the risk management framework, conduct regular reviews and consider these risks across a range of risks, including credit, liquidity and operational risks.

In 2022, the ECB set three deadlines for banks to progressively align their climate risk management practices with the ECB Guide: 

  • end of March 2023: to implement a materiality assessment (as detailed in the ECB Guide);
  • end of 2023: to include climate risks in the areas of strategy, governance and risk management; and
  • end of 2024: to achieve full alignment with supervisory expectations in the ECB Guide, ensuring the integration of climate and environmental risks into stress testing frameworks and the ICAAP.

In November 2023, the ECB communicated that it has started enforcement towards banks that have failed to adequately manage climate risks in line with the ECB’s expectations.

ESG Disclosure Requirements

According to the ECB Guide, banks should disclose material climate-related risks aligned with EU reporting guidelines. Additional (and more detailed) climate risk disclosures apply to large banks that are listed in the EEA (the Pillar 3 disclosures under the CRR).

Dutch-licensed banks that meet certain size criteria are within the scope of the Dutch implementation of the Non-Financial Reporting Directive (NFRD). These large banks must include a non-financial report in their annual accounts. This non-financial report covers environmental, social, and personnel matters, measures taken in respect of human rights and anti-corruption, as well as non-financial key performance indicators tied to the entity’s specific business activities. As of 2024, Dutch-licensed banks within the scope of the NFRD will have to publish additional information under the Corporate Sustainability Reporting Directive (CSRD) as implemented in Dutch law. 

Other ESG Requirements

Other ESG requirements relevant for Dutch-licensed banks include but are not limited to:

  • The EBA Guidelines on loan origination and monitoring: These guidelines detail how banks should incorporate ESG factors into their credit risk policies for corporate lending.
  • DCGC: The DCGC includes best practices on sustainability, emphasising long-term value creation for companies and the role of management boards in developing strategies and procedures to achieve this goal.
  • Sustainable Finance Disclosure Regulation (SFDR): Banks providing portfolio management or investment advice services are subject to disclosure requirements following from SFDR. These disclosures cover, among other ESG topics, the integration of sustainability risks into the bank’s investment processes, and how the bank considers adverse impacts that investments may have on sustainability.
Osborne Clarke N.V.

Jachthavenweg 130
1081 KJ, Amsterdam
The Netherlands

020 702 8600
Author Business Card

Trends and Developments


Osborne Clarke N.V. is a future-focused international legal practice with over 330 Partners and more than 1260+ talented lawyers working across 26 global locations. Osborne Clarke is a full-service office with nine law practices in the Netherlands: financial regulatory, banking and finance, corporate M&A, employment, pensions and incentives, tax, litigation and arbitration, real estate and infrastructure, tech, media and comms and notarial law. Osborne Clarke‘s financial regulatory practice has a standout reputation with clients and Dutch regulators. The financial regulation team primarily represents innovative and tech-driven clients in the field of banking, payments, investment services and cryptocurrency. It is also known as one of the most significant Dutch practices for licence applications to key regulators – the DNB and the AFM.


The Dutch Central Bank (De Nederlandsche Bank, DNB) identified 2023 as a key year in its four-year outlook on regulatory supervision 2021-2024 (Visie op toezicht 2021-2024). This outlook has been influential in shaping the regulatory environment in the Dutch banking sector and focuses on risk-based supervision, responding to technological innovations, ESG considerations, and combating money laundering and fraud. Notably, at least one bank successfully challenged the DNB’s positions on AML/CFT and sanctions implementation in 2023, suggesting a growing trend where challenging the regulator could yield favorable outcomes.

Looking ahead, Dutch-licensed banks face new challenges and regulatory changes. The Digital Operational Resilience Act (DORA) aims to bolster the digital operational resilience of the financial sector and requires banks to implement effective digital risk management practices. The DNB has already started monitoring banks’ compliance with DORA’s provisions, focusing on their capacity to manage ICT-related disruptions.

Additionally, the Markets in Crypto-Assets Regulation (MiCAR), another key legislation coming in next year, is set to impact the sector. However, unlike banks in some other jurisdictions, Dutch-licensed banks have shown limited interest in offering crypto-asset services. The full impact of MiCAR on Dutch-licensed banks is yet to be seen and might become more evident in the coming year.

The banking sector also anticipates major regulatory updates with the implementation of the Capital Requirements Regulation (CRR) and the Capital Requirements Directive (CRD VI), which are expected to come into effect in January 2025. These updates will introduce significant changes to the regulatory framework, impacting various aspects of banking operations and risk management.

Economic Developments

In 2023, global uncertainties, particularly due to the war in Ukraine and tensions in Gaza, significantly influenced the Dutch economy. Despite these challenges, the Netherlands showed resilience, particularly in overcoming the 2022 energy crisis. This resilience is reflected in the inflation rate for 2023, projected at 4.6%, a notable decrease from the 11.6% rate in 2022.

The European Banking Authority (EBA) focused on liquidity and funding risks in EU banks, examining the impact of rising interest rates on their business models and resilience in recovering from economic shocks. This heightened scrutiny was partly triggered by the forced takeover of Credit Suisse by UBS, raising questions about the quality of supervision and the management of liquidity risks. In the Netherlands, this translated to new market entrants seeking to establish banks facing increased evaluations by the DNB. More emphasis was placed on their business models and liquidity and funding risks. Existing Dutch-licensed banks, however, demonstrated robust capitalisation, maintaining high sector capital ratios.

The continued high interest rates, reaching 4% in September 2023, could pose challenges for Dutch-licensed banks in 2024, particularly regarding deposit repricing and funding costs. Interestingly, despite the high interest rates, Dutch-licensed banks have been slow in raising depositors’ interest rates. This delayed response has not significantly benefited fintechs or other deposit-taking entities, as only a small fraction (about 1%) of depositors switched institutions. Some Dutch bankers anticipate regulatory interventions in 2024 if interest rates remain elevated but are not carried over to Dutch depositors, potentially creating pressure for banks reliant on interest margins for earnings.

Macroprudential Developments

Another development is that Dutch-licensed banks are increasingly investing in debt originated by third parties, moving away from originating loans themselves. The DNB has been monitoring this development since 2019, and it is expected to continue into 2024. It is anticipated that the DNB will tighten supervision, and may expect banks to develop comprehensive credit oversight procedures, establish robust outsourcing arrangements with third-party originators, and implement AML procedures to ensure proper client due diligence is conducted when originating loans.

The banking sector also anticipates major regulatory updates with the new rules amending the CRR and CRD IV, of which the first is expected to come into effect in January 2025. These updates will introduce significant changes to the regulatory framework, impacting various aspects of banking operations and risk management of banks.

In addition to changes in capital adequacy requirements, CRD VI introduces new regulations, most of which do not follow from the Basel III framework. These include changes in the supervision of branches of institutions from third countries, which are comprehensively revised to make supervisory arbitrage more difficult and bring regulations for these third-country branches more in line with full banking license requirements for EU banks. Other such provisions concern, among other things, the suitability of directors (“fit and proper”), regulations around the Supervisory Review and Evaluation Process (SREP) and the integration of ESG factors into risk management.

Other key changes under CRR include, in particular, the standardised approach to credit risk (CRSA), the internal ratings-based approach (IRBA), and the capital requirements for operational risks. In addition, over a period of several years, the so-called output floor will be introduced in the EU, which will limit the use of internal ratings and risk models in the future.

Given this very rapidly approaching implementation date, Dutch-licensed banks are advised to start preparations for implementation as soon as possible.

ESG Regulatory Developments

The European Central Bank (ECB) has been firm in its commitment to integrate climate and environmental risks into its bank supervision activities since the release of its guide on climate-related and environmental risks in November 2020. This topic is now at the forefront of the Dutch supervisory agenda. While not all Dutch-licensed banks are directly supervised by the ECB, the DNB has committed to applying the same or tighter approach as the ECB. This means that, regardless of whether a Dutch-licensed bank is significant or not, the expectations and enforcement measures related to meeting climate risk management are alike.

The key aspects of the DNB’s application of the ECB guide include:

  • Self-assessment by banks: In early 2021, the DNB requested Dutch less significant banks to perform a self-assessment to evaluate their methods based on the ECB guide and develop action plans. These assessments and plans were then reviewed by the DNB as part of their supervisory process.
  • Guide’s role and recommendations: The ECB guide is not legally binding but serves as a foundation for supervisory discussions. However, given that the DNB has adopted the guidelines in supervising less significant banks, Dutch-licensed banks should consider how to meet the ECB guide in 2024 and where proportionality can be applied by considering the institution’s specific nature, size, and complexity.
  • Alignment with good practices: The DNB’s implementation of the ECB guide is in line with its own published “Good Practices” document on integrating climate-related risk considerations into banks’ risk management, ensuring a coherent supervisory approach across different types of financial institutions.

In line with banks in the rest of the EU, no Dutch-licensed bank has fully met the ECB’s expectations in 2023. As the ECB now signals its intention to roll out enforcement measures for banks that fall short of supervisory expectations, the DNB is likely to do the same in 2024 for less significant Dutch-licensed banks. As such, Dutch banks – both significant and less significant institutions – have to align their practices with these principles of prudent management of climate and environmental risks within the communicated deadlines or risk facing enforcement measures in 2024.

The DNB further published its own comprehensive guide to managing climate and environmental risks in March 2023. This DNB guide targets insurers, pension funds, premium pension institutions, investment firms, and electronic money and payment institutions. This DNB guide focuses on integrating climate and environmental risks into the core processes of these institutions and provides essential focal points and best practices, developed through feedback from both the sector and non-governmental organisations (NGOs).

AML and Sanction Regulations

2023 will go down as yet another year of heightened AML and sanction regulation compliance enforcement by the DNB. A fair number of Dutch-licensed banks have either completed or have been summoned by the DNB to update their Systematic Integrity Risk Analysis (SIRA) following a binding instruction from the DNB. The DNB requires Dutch-licensed banks to work on the basis of guided procedures to manage their integrity risks. Banks are expected to follow strict DNB guidelines to ensure a comprehensive and systematic approach to identifying, analysing, and managing integrity risks within the bank.

There are no signs of the DNB slowing down this approach. With fines in the hundreds of millions already dating back to 2018, further AML and sanction regulation fines are expected next year for a number of Dutch-licensed banks. This may include a number of major Dutch retail banks, at least one of which has received a binding instruction from the DNB in the summer of 2023. The DNB has identified a recurring issue among some Dutch-licensed banks – shortcomings in their risk assessments. These deficiencies lead to a lack of clear visibility into the banks’ exposure to potential risks associated with money laundering and terrorist financing. This all fits the pattern of the earlier AML and sanction regulation enforcement cases as well as a number of non-public investigations that are currently ongoing.

Notably, in 2023 at least one Dutch retail bank successfully challenged the DNB for alleged failures in meeting anti-money laundering controls. In a pivotal legal confrontation between the DNB and online bank Bunq, the Rotterdam court markedly slashed an administrative fine imposed by the DNB by 85%. This followed Bunq’s prior legal victory that is being perceived by the market as having significantly influenced the Dutch financial sector’s move towards a risk-based, technology-driven approach in monitoring customers for money laundering risks.

The court’s decision, reducing the fines from nearly EUR900,000 to about EUR128,250, represented a response to Bunq’s challenge against the DNB’s allegations of inadequate monitoring of ownership structures in foundations and charities, insufficient scrutiny of politically exposed persons, and failure in continuous customer monitoring. This case stands out in the Dutch banking sector, not just for the substantial fine reduction but also as a rare instance of a bank contesting the regulator’s decision, reflecting an evolving dynamic in regulatory compliance and AML and sanction regulation practices.

In a move that could be connected to Bunq’s legal victory, the DNB subsequently launched a public proposal in October 2023, titled “A new anti-money laundering approach for financial institutions and other stakeholders as part of a public consultation”. This proposal advocates for a more risk-based approach, more effective crime-fighting capabilities, and the prevention of overly stringent controls that may unnecessarily refuse or hinder customers. The DNB plans to release the final proposal document in early 2024.

The proposal follows the DNB’s call last year for a risk-based approach to preventing financial crime, as discussed in the report “Van herstel naar balans”. This approach emphasises efficiency and effectiveness in customer and transaction checks, leveraging innovative technology like machine learning, and focuses on risk-based methods. These methods are intended to be more targeted and also prevent strict controls from unnecessarily obstructing customer access to banking services and the financial system. Following the publication of the report, financial institutions and the DNB have discussed the implementation of this renewed approach in various roundtable meetings. The Dutch Banking Association (De Nederlandse Vereniging van Banken, DBA) has, based on these discussions, already published its own standards offering examples of how banks can comply with specific Dutch AML provisions.


In preparation for 2024, the DNB requires banks in the Netherlands to align with DORA, an EU regulation aimed at enhancing the IT security of financial entities. DORA focuses on several key areas:

  • ICT risk management: establishing principles and requirements for an ICT risk management framework;
  • third-party risk management: monitoring third-party risk providers and establishing key contractual provisions;
  • digital operational resilience testing: implementing both basic and advanced testing measures;
  • ICT-related incidents: setting general requirements for reporting major ICT-related incidents to competent authorities and sharing information on cyber threats; and
  • oversight of critical third-party providers: establishing an oversight framework for critical ICT third-party providers.

The timeline for implementing DORA includes a series of steps, such as public consultations and the delivery of policy products. By 17 January 2024, the first batch of policy products is expected to be delivered, followed by the second batch on 17 July 2024. DORA will be fully applicable in the Netherlands from 17 January 2025.

The DNB has already started monitoring banks’ compliance with DORA’s provisions. Given DORA’s complexity and profound impact on both banks’ internal operations and their outsourcing chains, compliance with DORA should be a top priority for every Dutch bank manager in 2024. The DNB expects Dutch-licensed banks and other financial entities to be actively working towards complying with these requirements, especially in areas of ICT risk and third-party provider management, to ensure full readiness by the 2025 application date.

Payment Developments

In 2023, the Dutch payment landscape exhibited a mix of enduring consumer habits and emerging trends. iDeal, the prominent online payment scheme in the Netherlands, is expected to continue to lead, albeit with a slight decrease in its share of e-commerce transactions compared to 2022. The Netherlands remains a debit card country but credit card usage for online purchases saw a modest increase, just as in 2022 (8% of total online transactions).

The trend towards using smartphones for online shopping is also expected to gain further momentum in 2024. 2022 and 2023 have shown a shift towards more mobile-centric consumer behaviour in the Netherlands. Despite this digital inclination, a notable number of consumers still showed a preference for in-store shopping, slightly moving away from the online shopping trend seen during the pandemic.

Amidst the rise of digital payments, cash transactions experienced a further decline in 2023. On top of that, the Dutch government proposed a legislative change to cap cash payments at EUR3,000 per transaction. The legislative initiative is still pending, with no definite date set for its implementation. Given that the effective date is not yet final and subject to parliamentary processes and legal formalities, it is uncertain whether this legislative change will be applicable in 2024.

The DNB Payments Strategy 2022-2025 outlines several key actions for banks that are relevant in 2024. Broadly, these actions are aimed at enhancing the accessibility and reliability of payment services in the Netherlands. For instance, the DNB calls for banks to improve personal service for customers and enhance communication, particularly for vulnerable groups such as the elderly and those with functional impairments. Additionally, banks are expected to participate in the Cash Covenant to ensure the availability of cash. These actions are part of the DNB’s broader goals to maintain a robust and secure payment system in the digital age.

Since the summer of 2022, Dutch payment institutions, electronic money institutions, investment firms, and settlement firms, have been allowed to use a dedicated segregated account to meet the obligation of safeguarding client funds. This change was part of the Financial Markets Amendment Act 2022, with early implementation chosen due to its practical necessity and absence of new obligations on businesses with further details on how to comply with this new safeguarding option pushed out to 2023 or later. Unfortunately, these further details have not yet been provided by the legislator, the DNB or the Dutch Authority for the Financial Markets (Autoriteit financiele markten, AFM) in 2023.

As a result, Dutch-licensed banks have been reluctant to offer these new accounts, leaving the market with no choice but to safeguard client funds in the traditional Dutch way in a separate legal entity (third-party fund foundation). This is generally considered an overly complex and innovation-hampering safeguarding solution. The DNB has been well aware of these limitations and launched an in-depth investigation into the use of third-party funds at Dutch payment institutions and electronic money institutions in the second part of 2023.

Market in Crypto-Asset Regulation

MiCAR is set to bring about a transformative shift in the EU cryptocurrency landscape when it becomes applicable in 2024. MiCAR aims to provide a comprehensive set of rules for the crypto-assets market, addressing concerns around consumer protection, market integrity, and financial stability.

More concretely, MiCAR encompasses ten key services, focusing on the regulation and oversight of crypto-assets and related activities. These services include the issuance and trading of crypto-assets, operating as a trading platform for these assets, and providing wallet services for secure storage and transfer of crypto-assets. They also cover advice and management services related to crypto-assets, managing and executing orders on behalf of clients, and underwriting or placing crypto-assets on a firm commitment basis. Additionally, MiCAR governs the operation of an exchange where crypto-assets can be exchanged for fiat currencies, and the custody and administration of these assets.

In some jurisdictions, for instance Germany, banks are expected by the regulator to act as custodians under MiCAR by providing wallet services for secure storage and transfer of crypto-assets. No such development has been identified for the Netherlands, even though the EU legislator clearly has envisioned a large role for banks under MiCAR. Not least because banks are the only financial institutions that are allowed to provide all ten crypto-asset services when MiCAR becomes applicable at the end of 2024 following a straightforward notification procedure. To date, it remains to be seen which Dutch-licensed banks will step into the crypto-asset services market themselves and to what extent other EU banks will be providing crypto-asset services on the basis of an EU-wide passport. For Dutch-licensed banks, the major questions are: What should be our strategy concerning cryptocurrencies? Are we going into this market or not? And do we know what our exposure to MiCAR is?

Fintech and Embedded Banking Trends

The Dutch fintech market witnessed significant growth in 2023, with a surge in electronic money institutions securing DNB licenses (now totalling 15 Dutch license holders) and a full-scope fintech clearing bank submitting an application for a banking license in the Netherlands. These companies are predominantly young and known for their high level of financial activity and international presence.

The products offered by these fintechs typically include a form of embedded payments or even full-suite embedded banking services, often developed in the UK market. These business models are geared towards cross-border services out of the Netherlands and thus have to be transposed to the Dutch market, DNB supervision standards, and ultimately the rest of the EU. However, Dutch players, including Dutch-licensed banks like Rabobank, ABN AMRO Clearing Bank, and global acquirer Adyen, have also expanded their services further, with specific embedded banking or Banking-as-a-Service offerings in 2023. This trend is expected to continue in 2024 and will likely result in further record-breaking partnerships between Dutch-licensed banks, service providers, and customers in the Netherlands in the coming years.

Osborne Clarke N.V.

Osborne Clarke N.V.
Jachthavenweg 130
1081 KJ, Amsterdam

020 702 8600
Author Business Card

Law and Practice


Osborne Clarke N.V. is a future-focused international legal practice with over 330 Partners and more than 1260+ talented lawyers working across 26 global locations. Osborne Clarke is a full-service office with nine law practices in the Netherlands: financial regulatory, banking and finance, corporate M&A, employment, pensions and incentives, tax, litigation and arbitration, real estate and infrastructure, tech, media and comms and notarial law. Osborne Clarke‘s financial regulatory practice has a standout reputation with clients and Dutch regulators. The financial regulation team primarily represents innovative and tech-driven clients in the field of banking, payments, investment services and cryptocurrency. It is also known as one of the most significant Dutch practices for licence applications to key regulators – the DNB and the AFM.

Trends and Developments


Osborne Clarke N.V. is a future-focused international legal practice with over 330 Partners and more than 1260+ talented lawyers working across 26 global locations. Osborne Clarke is a full-service office with nine law practices in the Netherlands: financial regulatory, banking and finance, corporate M&A, employment, pensions and incentives, tax, litigation and arbitration, real estate and infrastructure, tech, media and comms and notarial law. Osborne Clarke‘s financial regulatory practice has a standout reputation with clients and Dutch regulators. The financial regulation team primarily represents innovative and tech-driven clients in the field of banking, payments, investment services and cryptocurrency. It is also known as one of the most significant Dutch practices for licence applications to key regulators – the DNB and the AFM.

Compare law and practice by selecting locations and topic(s)


Select Topic(s)

loading ...

Please select at least one chapter and one topic to use the compare functionality.